From b756893fa568e9848236f5c15c9fe6e9ac232b46 Mon Sep 17 00:00:00 2001
From: fruchti
Date: Thu, 9 Mar 2023 15:24:22 +0100
Subject: [PATCH] Allow for `git pull` before auto-upgrade
---
 hosts/Rupert.nix | 11 ++++++---
 options/auto-upgrade.nix | 48 +++++++++++++++++++++++++++++++++-------
 2 files changed, 48 insertions(+), 11 deletions(-)
diff --git a/hosts/Rupert.nix b/hosts/Rupert.nix
index 3238f0b..8685d9f 100644
--- a/hosts/Rupert.nix
+++ b/hosts/Rupert.nix
@@ -88,9 +88,14 @@ in
 # accidentally delete configuration.nix.
 # system.copySystemConfiguration = true;
- system.autoUpgrade.enable = true;
- system.autoUpgrade.allowReboot = true;
- system.autoUpgrade.sendEmail = true;
+ system.autoUpgrade = {
+ enable = true;
+ allowReboot = true;
+ sendEmail = true;
+ gitPull = true;
+ gitDeploymentKeyFile = "/secrets/ssh_id_gitea_nixos_configuration";
+ };
+
 # systemd.services.nixos-upgrade.onFailure = lib.mkIf config.system.autoUpgrade.enable [ "status-email@%n.service" ];
 services.btrfsScrub = {
diff --git a/options/auto-upgrade.nix b/options/auto-upgrade.nix
index a98fde1..eb9f4e1 100644
--- a/options/auto-upgrade.nix
+++ b/options/auto-upgrade.nix
@@ -15,6 +15,20 @@ in
 Whether to send a status email after an upgrade.
 '';
 };
+ gitPull = mkOption {
+ type = types.bool;
+ default = false;
+ description = mdDoc ''
+ Whether to run `git pull` in /etc/nixos before starting the upgrade.
+ '';
+ };
+ gitDeploymentKeyFile = mkOption {
+ type = types.str or null;
+ default = null;
+ description = mdDoc ''
+ Private SSH key used for the `git pull` operation (if `gitPull` is enabled).
+ '';
+ };
 };
 config = mkIf cfg.enable {
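Review bot: `gitDeploymentKeyFile = "/secrets/ssh_id_gitea_nixos_configuration";` hands a private key to a service that runs `git`, `nixos-rebuild` and `shutdown` as root, so the file has to stay out of the Nix store and be readable by root only; the quoted-string form used here is what keeps it out of the store, and that is worth recording so it is not "fixed" into a path literal later, e.g. `# Keep this a quoted string: an unquoted path literal would be copied into the world-readable store.`. Whether the file's mode and ownership are managed elsewhere is not visible from this hunk, and a read-only deploy key on the Gitea side limits what a compromised host could do with it.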
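Review bot: `type = types.str or null;` does not make the option nullable: `or` is Nix's attribute-fallback operator, so this evaluates to plain `types.str`, and `default = null` then fails the module system's type check as soon as `cfg.gitDeploymentKeyFile` is read, which the `cfg.gitPull` branch in the later hunk does. The intended declaration is `type = types.nullOr types.str;`. Keep `str` rather than `path` here, since `str` rejects an unquoted path literal that would otherwise be copied into the world-readable store when interpolated into the script. The description should also say what the value is and how it is consumed, e.g. `Path to the private SSH key file used for the git pull (only consulted when gitPull is enabled). The file is read at runtime by the upgrade service and is never copied into the store.`.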
@@ -25,6 +39,8 @@ in
 date = "${pkgs.coreutils}/bin/date";
 readlink = "${pkgs.coreutils}/bin/readlink";
 grep = "${pkgs.gnugrep}/bin/grep";
+ git = "${pkgs.git}/bin/git";
+ ssh = "${pkgs.openssh}/bin/ssh";
 shutdown = "${config.systemd.package}/bin/shutdown";
 sendmail = "${pkgs.system-sendmail}/bin/sendmail";
 upgradeFlag = optional (cfg.channel == null) "--upgrade";
@@ -72,9 +88,23 @@ in
 ''}
 output_file="$(mktemp)"
- ${nixos-rebuild} boot ${toString (cfg.flags ++ upgradeFlag)} 2>&1 | tee "$output_file" || exit_code=$?
- send_email=no
+ email_subject_additions=
+
+ ${optionalString cfg.gitPull ''
+ {
+ cd /etc/nixos
+ echo "→ Refreshing git repository at /etc/nixos." | tee -a "$output_file"
+ if ! ${optionalString (cfg.gitDeploymentKeyFile != null) ''GIT_SSH_COMMAND='${ssh} -i "${cfg.gitDeploymentKeyFile}" -o IdentitiesOnly=yes' ''}${git} pull 2>&1 | tee -a "$output_file" ; then
+ send_email=yes
+ email_subject_additions="$email_subject_additions, errors during git pull"
+ fi
+ }
+ ''}
+
+ echo "→ Running upgrade." | tee -a "$output_file"
+ ${nixos-rebuild} boot ${toString (cfg.flags ++ upgradeFlag)} 2>&1 | tee -a "$output_file" || exit_code=$?
+ email_subject="Upgrade succeeded"
 email_body="The system upgrade started at $start_time has succeeded."
 if [ "$exit_code" -ne 0 ] ; then
@@ -86,6 +116,7 @@ in
 booted_version="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})"
 built_version="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
+ echo "→ Checking if a reboot is needed." | tee -a "$output_file"
 if [ "$booted_version" != "$built_version" ] ; then
 version_comparison="$(cat <<-EOF
 The booted kernel version
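Review bot: The `if ! … ${git} pull 2>&1 | tee -a "$output_file" ; then` test in the second hunk takes the exit status of `tee`, not of `git pull`, so a failed pull is reported as success and the upgrade builds whatever is in the working tree unless the script enables `pipefail` above this hunk (the `|| exit_code=$?` on the rebuild line has the same dependency). `cd /etc/nixos` inside `{ … }` is also unchecked and changes the directory for the rest of the script; a subshell `( cd /etc/nixos && … )` keeps both the failure and the directory change local. For an unattended run `${git} pull --ff-only` is the safer form, since a non-fast-forward pull would start a merge as root and can leave the tree mid-merge for the rebuild that follows. Because the pulled tree is built and activated as root, the remote's identity matters too: ssh host-key checking is left at its default here, so pin the host key (`-o StrictHostKeyChecking=yes -o UserKnownHostsFile=…` in the same `GIT_SSH_COMMAND`, or `programs.ssh.knownHosts`) instead of relying on whatever is in root's known_hosts. The enclosing script continues outside the hunk.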
@@ -111,16 +142,16 @@ in
 email_body="$(printf "%s\n%s" "$email_body" "The system will reboot now.")"
 do_reboot="yes"
 activate_configuration="yes"
- email_subject="$email_subject, system will reboot"
+ email_subject_additions="$email_subject_additions, system will reboot"
 else
 email_body="$(printf "%s\n%s" "$email_body" "The upgraded configuration will be activated on the next reboot.")"
- email_subject="$email_subject, reboot required"
+ email_subject_additions="$email_subject_additions, reboot required"
 fi
 fi
 ${optionalString (cfg.operation == "switch") ''
 if [ "$activate_configuration" = "yes" ] ; then
- echo "Activating new configuration."
+ echo "→ Activating new configuration." | tee -a "$output_file"
 ${nixos-rebuild} switch ${toString cfg.flags} 2>&1 | tee -a "$output_file" || exit_code=$?
 fi
 ''}
@@ -131,7 +162,7 @@ in
 possible_warnings="$(${grep} -e "^trace:" <<<"$upgrade_output" || true)"
 if [ "$possible_warnings" != "" ] ; then
 send_email=yes
- email_subject="$email_subject with warnings"
+ email_subject_additions="$email_subject_additions with warnings"
 email_body="$(cat <<-EOF
 $email_body
@@ -145,10 +176,11 @@ in
 ${optionalString cfg.sendEmail ''
 if [ "$send_email" = "yes" ] ; then
+ echo "→ Sending e-mail to ${toAddress}."
 ${sendmail} -t -X - <<-EOF
 To: ${toAddress}
 From: ${fromIdentity}
- Subject: $email_subject
+ Subject: $email_subject$email_subject_additions
 Content-Transfer-Encoding: 8bit
 Content-Type: text/plain; charset=UTF-8
 X-Priority: 3
@@ -164,7 +196,7 @@ in
 ''}
 if [ "$do_reboot" = "yes" ] ; then
- echo "Rebooting system."
+ echo "→ Rebooting system."
 ${shutdown} -r +1
 fi